Published on February 27th, 2020

What Is Threat Hunting and How to Get Started

What is threat hunting, why threat hunt, what are three key strategies, and what tools are at your disposal? In this Exabeam threat hunting explainer, Vicki Ngo-Lam and Cynthia Gonzalez walk us through the basics of getting started, explain why a security information and event management (SIEM) tool is the one most commonly used to threat hunt, and show how a security operations center (SOC) might take advantage of the MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework as a more modern approach to threat hunting. Subscribe to Exabeam for more: http://bit.ly/2SFgiiM

01:19 Using a SIEM for Threat Hunting
01:50 Your first Hunt
02:07 Modern Threat Hunting with MITRE ATT&CK
02:54 Behavioral Threat Hunting
04:09 Common Mistakes

Insider Risk Management is an often discussed, yet largely misunderstood topic. Learn more about IRM in our free ebook here: https://www.exabeam.com/library/insider-risk-management-adapting-to-the-evolving-security-landscape/

Summary

Threat hunting is the practice of looking for cyber threats that are already in your network. Unlike pen testing, where you're looking for vulnerabilities from the outside, threat hunting assumes the bad guys are already in and need to be found.

Threat hunting is a proactive approach to this problem. It is also used to validate security controls and to identify misconfigurations across the environment.

The most common tool used by a threat hunter is a SIEM, which holds the most data from across all of the systems used in an organization. Some may choose to use a security monitoring system like a firewall or an EDR tool.

Always start threat hunting with a hypothesis where you think there might be a compromise. Maybe it's a new APT, or you might be concerned that your service accounts are being abused. Maybe you are worried your admin's credentials have been stolen. Once you have your hypothesis, there are essentially three methods for threat hunting.

First, look for so-called indicators of compromise, or IoCs. These are things like AV signatures, malware hashes, blacklisted IP addresses, and the like. This approach may sound right, but it has a lot of issues. There are hundreds of millions of IoCs. You may find one, but you will probably lack context, and a single IoC is just one point in a chain of events.

A more modern approach to threat hunting uses the MITRE ATT&CK framework. The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK matrix shows the various techniques used at each tactical phase of an attack; in effect, it is a step-by-step guide to what the attacker is doing.

You might focus on the various tactics and techniques an attacker might use to steal a credential. Still, that's a lot of permutations if you look at all of the paths through the ATT&CK matrix. Where do you start? How many paths do you follow? The MITRE framework is great, but it needs something more.

Which brings us to behavioral threat hunting. This uses machine learning to focus on unusual behaviors and connects those behaviors to the MITRE framework. For example, you could start your threat hunt for stolen credentials by asking the SIEM to show you the first time a set of credentials was used to access a certain system, or to connect to the VPN from a particular country.

You can look at unusual or anomalous behaviors and start with them. This is different from the IoC approach, because you're looking at normal employee behavior compared to unusual behavior and asking, "What happened?"
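The "first time" query described above, as an added example that is not from the video or from Exabeam's product: it walks a constructed set of authentication events in time order and flags the first time a user appears from a new country or touches a new system. The 14-day baseline window and the mapping of each finding to ATT&CK technique T1078 (Valid Accounts), which the video does not name, are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, system, source country).
# These are made up for the example, not real log data.
SAMPLE_EVENTS = [
    ("2020-02-01T08:00:00", "alice", "vpn", "US"),
    ("2020-02-02T08:05:00", "alice", "vpn", "US"),
    ("2020-02-03T09:00:00", "bob", "fileserver", "US"),
    ("2020-02-10T07:50:00", "alice", "vpn", "US"),
    ("2020-02-20T03:12:00", "alice", "vpn", "RO"),    # new country for alice
    ("2020-02-20T03:20:00", "alice", "hr-db", "RO"),  # new system for alice
    ("2020-02-21T10:00:00", "bob", "fileserver", "US"),
]


def parse_events(rows):
    """Turn raw tuples into (datetime, user, system, country) records."""
    return [(datetime.fromisoformat(ts), u, s, c) for ts, u, s, c in rows]


def first_seen_anomalies(events, baseline_days=14):
    """Flag the first time a user is seen from a new country or on a new system.

    A user is only eligible once they have at least `baseline_days` of prior
    activity (assumed threshold), so brand-new accounts do not flood the hunt
    with 'first time' hits that are simply their first day on the job.
    """
    seen_country, seen_system, first_activity, findings = {}, {}, {}, []
    for ts, user, system, country in sorted(events):
        first_activity.setdefault(user, ts)
        has_baseline = ts - first_activity[user] >= timedelta(days=baseline_days)
        new_country = country not in seen_country.setdefault(user, set())
        new_system = system not in seen_system.setdefault(user, set())
        if has_baseline and (new_country or new_system):
            reasons = []
            if new_country:
                reasons.append(f"first login from {country}")
            if new_system:
                reasons.append(f"first access to {system}")
            findings.append({
                "time": ts.isoformat(),
                "user": user,
                "reason": "; ".join(reasons),
                # Assumed mapping for the stolen-credential hypothesis.
                "attack_technique": "T1078 Valid Accounts",
            })
        seen_country[user].add(country)
        seen_system[user].add(system)
    return findings


if __name__ == "__main__":
    for hit in first_seen_anomalies(parse_events(SAMPLE_EVENTS)):
        print(hit)
```

Each finding is a starting point for the hunt, not a verdict: the analyst still asks "what happened?" by comparing it against the user's normal behavior.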

One last tactic is what's called the crown jewels approach. Every organization has them. Product designs, customer lists, health records. You might decide to look for unusual access patterns on these crown jewels. Again, behavioral threat hunting will likely be the easiest approach here.

Here are some common mistakes we've seen people make with threat hunting.

Using IoCs is a mistake. MITRE ATT&CK is a much better system. Combined with behavior, it's a killer combination.

Make sure your hypothesis is specific.

Don't just start slicing the data looking for outliers. You need a clear direction. If you want to be a good threat hunter, learn as much as you can about MITRE ATT&CK. Since behavior is so important, if you aren't already, familiarize yourself with what's called User and Entity Behavior Analytics, or UEBA.

Find a source to keep current on new malware and APTs, so you have a working knowledge of what you're up against.

Track breaches. Chances are, bad guys will try to reuse what worked. You should be aware of what that is.

Feel free to ask any questions you have in the comments below. We'll be sure to get back to you.

